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International Application No. 




2 h DECEMBER 2003 

International Filing^E>ate_ 

INTERNATIONAL BUREAU OF WlPO 

PCT International Application 

Name of receiving Office and "PCX International Application" 



Applicant's or agent's file reference 

(if desired) (12 characters maximum) TEL0903.WOP0 



Box No. I TITLE OF INVENTION 

"USER AOTHEOTICATiaSI METHOD BASED ON THE UTILIZATION OF BIOiyiETRIC 
IDENTIFICATION TECHNICS AND RELATED ARCHITECTURE" 



Box No. n APPIJCANT 



I I This person is also inventor 



Name and address: (Family name followed by given name; for a legal entity, full official designation. 
The address mvst include postal code and name of country. The country of the address indicated in this 
Box is the applicant 's State (that is, country) of residence ifno State of residence is indicated below.) 

TELECOM ITALIA S.p.A. 

Piazza degli Affari, 2 
1-20123 MILANO 
Italy 



Telephone No. 

+ 39 02 86951 



Facsimile No. 



Teleprinter No. 



Applicant' s registration No. with the Office 



State (that is, country) of nationality: 

IT 


State (that is, cotmtry) of residence: 

IT 


This person is applicant | — ] all designated 
for the purposes of: 1 1 States 




all designated States except | | the United States | | the States indicated in 
the United States of Amenca 1 1 of America only | | the Supplemental Box 


Box No. in FURTHER APPLICANT(S) AND/OR (FURTHER) INVENTOR(S) 



Name and address: (Family name followed by given name; for a legal entity, fitll official designation. 
The address must include postal code and name of country. The country of the address indicated in this 
Box is the applicant 's State (that is, country) of residence if no State of residence is ineRcated below.) 

BALTATU. Madallna 
TELECOM ITALIA S.p.A. 
Via G. Reiss Romoll, 274 
1-10148 TORINO 
Italy 



This person is: 

I • I applicant only 

applicant and inventor 



□ inventor only (If this check-box 
is marked, do not fill in below.) 



Applicant's registration No. with the Office 



State (that is, country) of nationality; 

IT 


State (that is, country) of residence: 

IT 


This person is applicant [~1 all designated | | all designated States except 
for the purposes of: 1—1 States 1 i the United States of Amenca 




the United States | I the States indicated in 
of America only 1 1 the Si^plemental Box 


1 1 Fur&er applicants and/or (further) inventors are indicated on a continuation sheet. 


Box No. IV AGENT OR COMMON REPRESENTATIVE; OR ADDRESS FOR CORRESPONDENCE 


The person identified below is hereby/has been appointed to act on behalf 
of the applicant(s) before the competent International Authorities as: 


^ aeent 1 1 common 

^ ^ \ 1 representative 



Name and address: (Femily name followed by given name; for a legal entity, full official designation. 

The address must include postal code and name of country.) 

BATTIPEDE, Francesco 
PIRELLI & C. S.p.A. 
Vlale Sarca, 222 
1-20126 MILANO 
Italy 



Telephone No. 

+39 02 6442 3129 



Facsimile No. 

+39 02 6442 3190 



Teleprinter No. 



Agent* s registration No. with the Office 



□ 



Address for corres|;>ondence: Mark this check-box where no agent or common representative is/has been appointed and the 
space above is used instead to indicate a special address to which correspondence should be sent. 



Form PCT/RO/101 (first sheet) (March 2001 ; reprint January 2003) 



See Notes to the request form 



CONHRMATION COPY 



PCT/IB03/06186 



Sheet No. 



Continuation of Box No. HI FURTHER APPLICANT(S) AND/OR (FURTHER) INVENTOR(S) 

If none of the following sub-boxes is used, this sheet should not be included in the request. 


Name and address: (Family name followed by given name; for a legal entity, full official designation. 
The address must include postal code and name of country. The country of the address indicated in this 
Box IS the applicant s otaie (that is, countryj oj resiuence yno cucub oj resiaence is inaicaiea osiow.j 

D'ALESSANDRO, Rosalia 
TELECOM ITALIA S.p.A. 
Via G. Reiss Romoli, 274 
1-10148 TORINO 
Italy 


This person is: 

1 applicant only 

IX 1 applicant and inventor 

1 1 inventor only (If this check-box 

1 1 is marked, do not fill in below.) 


Applicant' s registration No. with the Office 


State (that is, country) of nationality: 

IT 


State (that is, counUyj 

IT 


of residence: 


This person is applicant I 1 all designated 1 1 all designated States except ["jTl the United States | 1 the States indicated in 

for tiSe purposes of: 1 {states I | the United States of Amenca LCJ ofAmencaonly ( | the Supplemental Box 


Name and address: (Fcmnly namefoUcmed by given ncmie; for a legal entity, fall official designation. 
The address must include postal code and name ^country. The country of the address indicated in this 
Box is the applicant's Slate(ihatis, countty)efresidenceifnoSaleofr^idenceisindicaledbelow,) 

D'AMICO, Roberta 
TELECOM ITALIA S.p.A. 
Via G. Reiss Romoli, 274 
1-10148 TORINO 
Italy 


This person is: 

1 1 applicant only 

|y 1 applicant and inventor 

1 1 inventor only (If this check-box 

\ 1 is marked, do not fill in below.) 


Applicant' s registration No. with the Office 


State (that is, country) of nationality: 

IT 


state (that is, country) of residence: 

IT 


This person is applicant | 1 all designated l j all designated States except f^l 

for the purposes of: 1 1 States | | the United States of Amenca 1^ 1 


the United States 1 1 the States indicated in 

of America only | | the Supplemental Box 


Name and address: (Family namefolhwed by given name; for a legal entity, full official designation. 
The address must include postal code and name of country. The country of the address indicated in this 
Boxistheapplicant's State (that is, country) ofresidenceifno State ofresidence is indicated below.) 


This person is: 

1 1 applicant only 

1 1 applicant and inventor 

1 1 inventor only (If this check-box 
1 1 is marked, do not fill in below.) 


Applicant's registration No. with the Office 


State (that is, country) of nationality: 


State (that is, country) of residence: 


This person is applicant | 1 all designated | 1 all designated States except | 1 the United States | | the States indicated in 

for the purposes of: 1 1 States | I the United States of Amenca I 1 of Amenca only | | the Supplemental Box 


Name and address: (Family name followed by given name; for a legal entity, full official designation. 
The address must include postal code and name ^country. The country of the address indicated in this 
Box is the applicant 's State (that is, country) of residence if no State of residence is indicated below.) 


This person is: 

1 1 applicant only 

1 1 applicant and inventor 

1 — 1 inventor only (If this check-box 
1 1 is marked, do not fill in below.) 


Applicant' s registrationNo. with the Office 


State (that is, country) of nationality: 


State (that is, country) of residence: 


This person is applicant l 1 all designated j 1 all designated States except | [ the United States [ 1 the States indicated in 

for the purposes of: I 1 States | | the United States of Amenca | | of America only | | the Supplemental Box 


1 J Further applicants and/or (further) inventors are indicated on another continuation sheet 
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Box No. V DESIGNATION OF STATES Mark the explicable check-boxes below; at least one must be marked. 



The following designations are hereby made under Rule 4.9(a): 
Regional Patent 

Bl AP ARIPO Patent: GH Ghana, GM Gambia, KE Kenya, LS Lesotho, MW Malawi, MZ Mozambique, SD Sudan, 
SL Sierra Leone, SZ Swaziland, TZ United Republic of Tanzania, UG Uganda, ZM Zambia, ZW Zimbabwe, and any other 
State which is a Contracting State of the Harare Protocol and of the PCT (if other kind of protection or treatment desired, 
specify on dotted line) 

Bl EA Eurasian Patent: AM Armenia, AZ Azerbaijan, BY Belarus, KG Kyrgyzstan, KZ Kazakhstan, MD Republic of Moldova, 
RU Russian Federation, TJ Tajikistan, TM Turkmenistan, and any other State which is a Contracting State of the Eurasian 
Patent Convention and of the PCT 

Bl EP European Patent: AT Austria, BE Belgium, BG Bulgaria, CH & LI Switzerland and Liechtenstein, CY Cyprus, CZ Czech 
Republic, DE Germany, DK Denmark, EE Estonia, ES Spain, FI Finland, FR France, GB United Kingdom, GR Greece, 
IE Ireland, IT Italy, LU Luxembourg, MC Monaco, NL Netherlands, PT Portugal, SE Sweden, SI Slovenia, SK Slovakia, 
TR Turkey, and any other State which is a Contracting State of the European Patent Convention and of the PCT 

183 OA OAPI Patent: BF Burkina Faso, BJ Benin, CF Central African Republic, CG Congo, CI Cote d'lvoire, CM Cameroon, 
GA Gabon, GN Guinea, GQ Equatorial Guinea, GW Guinea-Bissau, ML Mali, MR Mauritania, NE Niger, SN Senegal, 
TD Chad, TG Togo, and any other State which is a member State of OAPI and a Contracting State of the PCT (if other kind 
of protection or treatment desired, specify on dotted line) 



National Patent (if other kind of protection or 

81 AE United Arab Emirates Bl 

^ AG Antigua and Barbuda Bl 

Bl AL Albania 19 

Bl AM Armenia Bl 

AT Austria Bl 

AU Australia Bl 

Bl AZ Azerbaijan Bl 

Bl BA Bosnia and Herzegovina 

183 BB Barbados 

EQ BG Bulgaria 

Bl BR Brazil 

Kl BY Belarus 

JB BZ Belize BT 

Bt CA Canada 03 
IS CH & LI Switzerland and Liechtenstein IB 

CN China Bl 

CO Colombia Bl 

Bl CR Costa Rica IS 

OB CU Cuba 18 

Bl CZ Czech Republic Bl 

Bl BE Germany Bl 

Bl DK Denmark Bl 

ES DM Dominica Bl 

S9 DZ Algeria 

6B EC Ecuador Bl 

Bl EE Estonia IS 

Bl ES Spain 

Bl FI Finland B3 

Bl GB United Kingdom 89 
Bl GD Grenada Bl 

DB GE Georgia Bl 

Bl GH Ghana Bl 



treatment desired, specify on dotted line): 
GM Gambia 

HR Croatia 

HU Hungary 

ID Indonesia 

IL Israel 

IN India 

IS Iceland * 

JP Japan 

KE Kenya 

KG Kyrgyzstan 

KP Democratic People's Republic 

of Korea , 

KR Republic of Korea , 

KZ Kazakhstan 

LC Saint Lucia 
LK Sri Lanka 
LR Liberia 

LS Lesotho 

LT Lithuania 
LU Luxembourg 

LV Latvia 

MA Morocco 

MD Republic of Moldova 



89 NZ New Zealand 

Bl OMOman 

H PH Philippines 

09 PL Poland 

Bl PT Portugal 

Bl RO Romania 

09 RU Russian Federation 



Bl SC 

la SD 

61 SE 

[a SG 

Bl SK 
Bl SL 
Bl TJ 
Bl TM 
Bl TN 
Bl TR 
Bl TT 



Seychelles 
Sudan 
Sweden 
Singapore 

Slovakia 

Sierra Leone 

Tajikistan 

Turkmenistan 

Tunisia 

Turkey 

Trinidad and Tobago 



18 TZ United Republic of Tanzania 

Bl UA Ukraine 

83 UG Uganda 

Bl US United States of America . . . 



MG Madagascar 

MKThe former Yugoslav Republic of 

Macedonia 

MN Mongolia 

MWMalawi 

MX Mexico 

MZ Mozambique 

NO Norway 



Bl UZ Uzbekistan 

Bl VC Saint Vincent and the Grenadines 

Kl VN Viet Nam 

Bl YU Yugoslavia 

Bl ZA South Afirica 

Bt ZM Zambia 

Bl ZW Zimbabwe 



Check-boxes below reserved for designating States which have become party to the PCT after issuance of this sheet: 

□ □ □ 

□ □ □ 



Precautionary Designation Statement: In addition to the designations made above, the applicant also makes under Rule 4.9(b) all 
other designations which would be permitted under the PCT except any designation(s) indicated in the Supplemental Box as being 
excluded from the scope of this statement. The applicant declares that those adc^tional designations are subject to confirmation and that 
any designation which is not confirmed before the expiration of 15 months from the priority date is to be regarded as withdrawn by the 
applicant at the expiration of that time limit (Confirmation (includingfees) must reach the receiving Office within the 15-month time limit) 
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Supplemental Box If the Supplemental Box is not used, this sheet should not be included in the request 



1. If, in any of the Boxes, excej>i Boxes Nos, Vlllfi) to (v) forwhich 
a special continuation box is provided, the space is insufficient 

to jumish all the infonnation: in such case, write "Continuation 
of Box No.... " (indicate the number of the Box) and furnish the 
information in the same manner as required according to the 
captions of the Box in which the space was insufficient, in 
particular: 

(i) if more than two persons are to be indicated as applicants 
and/or inventors and no "continuation sheet " is available: in 
such case, write "Co?7tinuation of Box No. Ill" and indicate for 
each additional person the same type of information as required 
in Box No. III. TJie country of the address iiidicated in this Box 
is the applicant 's State (that is, country) of residence if no State 
of residence is indicated below; 

(ii) if, in Box No, U or in any of the sub-boxes of Box No, III, the 
indication "ihe States indicated in the Supplemental Box" is 
checked: in such case, write "Continuation of Box No. ZT" or 
" Continuation of BoxNoAU** or " Continuation ofBoxes No. U 
and No. HI" (as the case may be), indicate the name of the 
applicant(s) involved and, next to (each) such name, theState(s) 
(and/or, where applicable^ ARIPO, Eurasian, European or 
OAPI patent) for the purposes of which the named person is 
applicant; 

(Hi) if, in Box No. II or in any of the sub-boxes of Box No. HI, the 
inventor or the inventor/(q>pUcant is not inventor for the 
purposes of all designated States or for the purposes of the 
United States of America: in such case, write "Continuation of 
Box No. 11" or "Continuation ofBox No. m" or "Continuation 
ofBoxes No. Hand No. HI" (as the case may be), indicate the 
name of the inventor(s) and, next to (each) such name, 
theStatefs) (and/or, where applicable, ARIPO, Eurasian, 
European or OAPI patent) for the purposes of which the 
named person is inventor; 

(iv) if in addition to the agent(s) indicated in Box No. W, there are 
further agents: in such case, write "Continuation of 
Box No. IV" and indicate for each fixrther agent the same type 
of information as required in Box No. IV; 

(y) if in BoxNo. V, the name of any State (or OAPI) is accompanied 
by the indication "patent of addition," or "certificate of 
addition, " or if, in Box No. V, the name of the United States of 
America is accompanied by an indication "continuation " or 
"continuation-in-part": in such case, write "Continuation of 
Box No. V" and the name of each State involved (or OAPI), 
and after the name of each such State (or OAPI), the number of 
the parent title or parent application and the date of grant of 
the parent title or filing of the parent explication; 



Continuation of BOX No. IV 



ADDITIONAL AGENTS: 

Carlo BOTTERO. Pier Giovanni GIANNESI, Paolo 
MARKOVINA 

PIRELLI & C. S.p.A. 

Vlale Sarca, 222 
1-20126 MILANO 
Italy 

All enrolled at the Register of Italian Patent Attorneys 



(yi) if in Box No. VI, there are more than five earlier applications 
whose priority is claimed: in such case, write "Continuation 
of Box No, VI" and indicate for each additional earlier 
application the same type of information as required 
in Box No. VI. 



2. If, with regard to the precautionary designation statement 
contained in Box No. V, the applicant wishes to exclude any 
State(s) fi'om the scope of that statement: in such case, write 
*'Designation(s) excluded fi'om precautionary designation 
statement" and indicate the name or two-letter code of each 
State so excluded. 
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Box No. VI PRIORITY CLAIM 



The priority of the following earlier application(s) is hereby claimed: 



Filing date 
of earlier application 
(dqy/month/year) 



Number 
of earlier application 



Where earlier application is: 



national application: 
country or Member 
ofWTO 



regional application:* 
regional Office 



international application: 
receiving Office 



item (1) 



item (2) 



item (3) 



item (4) 



item (5) 



I 1 Further priority claims are indicated in the Supplemental Box. 



□ all items □ item (1) □ item (2) Q item (3) □ item (4) □ item (5) □ 



Supplemental Box 



Box No. Vn INTERNATIONAL SEARCHING AUTHORITY 



£?JJ!f International Searching Authority (ISA) (tf two or more International Searching Authorities are competent to carry out the 
mtemational search, mdicate the Authority chosen; the two-letter code may be used)'. ^ump^it^m lu carry om me 



ISA/ 



EP 



Request to use results of earlier search; reference to that search (if an earlier search has been carried out by or requested irom the 
International Searching Authority): ^ i j 



Date (dqy/month/year) 



Nimiber 



Country (or regional Office) 



BoxNo.Vni DECLARATIONS 



The following declarations are contained in Boxes Nos. VIIJ (i) to (v) (mark the explicable 
check-boxes below and indicate in the right column the number of each type of declaration): 

ri Box No. Vm (i) Declaration as to the identity of the inventor 



□ Box No. vm (ii) 



□ BoxNo. Vni(iii) 



Declaration as to the applicant's entitlement, as at the international jfilmg 
date, to apply for and be granted a patent 

Declaration as to the applicant's entitlement, as at the international filing 
date, to claim the priority of the earlier application 



Q Box No. vm (iv) Declaration of inventorship (only for the purposes of the designation of the 

United States of America) . 

Q Box No. vm (v) Declaration as to non-prejudicial disclosures or exceptions to lack of novelty : 
Form PCT/RO/101 (third sheet) (July 2002; reprint January 2003) 



Number of 
declarations 



See Notes to the request form 
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Box No. IX CHECK LIST; LANGUAGE OF FILING 



23 
9 
1 

3 



42 



This intemational application contains: 

(a) in paper form, the following number of 
sheets : 

request (including 

declaration sheets) : ^ 

description (excluding 
sequence listings and/or 
tables related thereto) 

claims 

abstract 
drawings 

Sub-total number of sheets 

sequence listings 

tables related thereto 

(for both, actual number of 
sheets if filed in paper form, 
whether or not also filed in 
computer readable form; 
see (c) below) 

Total number of sheets 

Qot) EH only in computer readable form 

(Section 801(a)(i)) 

(i) □ sequence listings 

(ii) □ tables related thereto 

(c) Q also in computer readable form 

(Section 801(a)(ii)) 

(i) Q sequence listings 

(ii) Q tables related thereto 

Type and number of carriers (diskette, 
CD-ROM, CD-R or other) on which are 
contained the 

O sequence listings: 

□ tables related thereto: 

(additional copies to be indicated under 
items 9(ii) and/or 10(ii), in right column) 



42 



This intemational application is accompanied by the following 
item(s) (mark the applicable check-boxes below and indicate in 
right column the number of each item): 

1. O calculation sheet 

2. □ original separate power of attorney 

3. □ original general power of attorney 

4. □ copy of general power of attorney; reference number, 

if any: 

5. □ statement explaming lack of signature 

6. □ priority docunient(s) identified in Box No, VI as 

item(s): 

7. Q translation of intemational application into 

(language): 

8. □ separate indications concerning deposited microorganism 

or other biological material 

9. O sequence listings in computer readable form 

(indicate type and number of carriers) 

(i) D copy submitted for the purposes of intemational search under 

Rule IZter only (and not as part of the intemational application) 

(ii) □ (only where check-box (b) (i) or (c)(i) is marked in left column) 

additional copies including, where applicable, the copy for the 
purposes of intemational search under Rule 13ter 

(iii) D together with relevant statement as to the identity of the copy or 

copies with the sequence listings menti oned in left column 

1 0. □ tables in computer readable form related to sequence listings 

(indicate type and number of carriers) 

(i) □ copy submitted for the purposes of intemational search under 

Section SQ2(\:>-quater) only (and not as part of the intemational 
application) 

(ii) □ (onfy where chedc-box (b) (ii) or (c)(ii) is marlced in left column) 

additional copies including, where applicable, the copy for the 
purposes of intemational search imder Section S02(h'quater) 

(iii) CD together with relevant statement as to the identity of the copy or 

copies with tiie tables mentioned in left column 

11. □ oth&T (specif): 



Number 
of items 



Figure of the drawings which 
should accompany the abstract 



Fig. 1 



Language of filing of the 

intemational application: 



Italian 



Box No. X SIGNATURE OF APPLICANT, AGENT OR COMMON REPRESENTATIVE 

Next to each sfgiiature, indicate the name cf the person sibling and the opacity in which the person signs (ff such copadty is not obvious from reading the request). 




BATTiPEDE. Francesco 



December 24, 2003 



1. 


Date of actual receipt of the purported 
intemational application: 


2^de:::33 2003 (2^.12.03 


\ 2. Drawings: 
/ 1 1 received: 


3. 


Corrected date of actual receipt due to later but 
timely received papers or drawings completing 
the purported intemational application: 






4. 


Date of timely receipt of the required 
corrections under PCT Article 1 1(2): 






1 1 not received: 


5. 


Intemational Searching Authority 

(if two or more are competent): ISA / 




6. 1 — 1 Transmittal of search copy delayed 
1 1 until search fee is paid 





For Intemational Bureau use only 



Date of receipt of the record copy 
by the Intemational Bureau: 
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USER AOTHKNTICATION METHOD BASED ON THE UTILIZATION OF 
BIOMETRIC IDENTIFICATION TECHNICS AND RELATED 
ARCHITECTURE 

***** 

5 The present invention refers in general to the 

field of secure authentication system. More 
particularly, the present invention- refers to a user 
authentication method based on the utilization of 
biometric identification technics and related 
10 architecture. 

Authentication is the process by which an entity, 
such as a financial institution, a bank, etc., 
identifies and verifies its customers or users to 
itself and identifies and verifies itself to its 
15 customers or users . 

Authentication includes the use of physical 
objects, such as cards and/or keys, shared secrets, 
such as Personal Identification Numbers (PIN's) and/or 
passwords, and biometric technologies such as voice 
2 0 prints, photos, signatures and/or fingerprints. 
Biometric tasks include, for example, an identification 
task and a verification task. The verification task 
determines whether or not the person claiming an 
identity is really the person whose identity has been 
25 claimed. 

The identification task determines whether the 
biometric signal, such as a fingerprint, matches that 
of someone already enrolled in the system. 

Various biometrics have been considered for use 
30 with smart cards, such as fingerprints, hand prints, 
voice prints, retinal images, handwriting samples and 
the like. 
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An example of a biometric-based smartcard is shown 
in US-A-5 , 280 , 527 describing a credit card sized token 
(referred to as biometric security apparatus) 
containing a microchip, in which a sample of the 
5 authorised user's voice- is stored. In order to gain 
access to an account, the user must insert the token 
into a designated slot of an ATM, and then speak with 
the ATM. If a match is found between the user's voice 
and the sample enrolment of the voice stored into the 
10 microchip, access to the account is granted. 

Although the system disclosed in US-A-5 , 280 , 527 
reduces the risks of unauthorised access, if compared 
with conventional PIN-based systems, however, to the 
extent that the credit card and the microchip disposed 
15 therein can be tampered with, the system does not 
provide the level of reliability and security that is 
often required in nowadays finance transactions. 

In WO-A- 0139134 a security system is further 
disclosed, comprising: a central unit with a biometric 

2 0 sensor to detect biometric data representing 

characteristic biometric features of a person; at least 
one portable data carrier; a memory means for storing 
biometric reference data representing the biometric 
reference features of the person in the system; a 
25 control system capable of generating an authorisation 
signal to control a functional unit depending on a 
comparison between the biometric data detected by the 
sensor and the reference data. 

In the security system proposed in such document, 

3 0 the reference data, that are compared with the 

biometric data detected by the sensor to ascertain the 
authenticity of the- user, are not wholly stored into 
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the data carrier, in the conventional manner, but are 
splitted, partly in the data carrier and partly in the 
reading device. Only the combination of data carrier 
and reading device will produce the complete 
5 information needed for authentication. 

The invention is particularly advantageous if the 
biometric sensor ^is a fingerprint sensor. A fingerprint 
sensor determines the locally resolved position of 
minutiae of the fingerprint. The minutiae are singular 

10 points of the papillary lines of a fingerprint. These 
might be end points, branches or similar points of the 
papillary lines of the fingerprint. The local position 
is determined depending on the distance from a 
reference point or radius to the angle related to a 

15 reference direction. 

In order to personalise the data carrier, the 
fingerprint of the data carrier owner is reproduced and 
appropriate reference values are determined for radius 

* 

and angle . These values are then stored into the 

2 0 system. For practical purpose, the radius reference 

data are stored only on the data carrier and the angle 
reference data are stored only on the reading device. 
Alternatively, the angle reference data are stored in 
the data carrier and the distance reference data are 
25 stored on the reading device. 

The Applicant faced the problem of realising a 
method for authenticating users based on the use of 
biometric identification technics, that is secure, 
independent from the used biometric identification 

3 0 technics and that protects user privacy. 

The Applicant has observed ^ that the above- 
..descrijoed problem can be ^solved by a user 




authentication method based on the use of biometric 
identification technics comprising the steps of: 
generating a reference biometric template from a first 
biometric image of a user to be authenticated and, 
afterwards, splitting the reference biometric template 
into a first and a second reference biometric template 
portion, said first and second reference biometric 
template portion being separable. The first and the 
second biometric reference template portion are then 
signed, ciphered and stored in different memories. 

More specifically, a user authentication method 
based on the use of biometric identification technics 
comprises an enrolment step and a verification step, 
said enrolment step including the steps of: 

- generating a reference biometric template from a 
first biometric image of a user to be authenticated; 

- splitting said reference biometric template into 
a first and a second reference biometric template 
portion; 

ciphering said first and second reference 
biometric template portion; and 

- storing each one of said reference biometric 
template portions into a different memory. 

Another aspect of the present invention refers to 
an architecture based on the use of biometric 
identification technics comprising: 

at least one data enrolment system for 
generating a reference biometric template from a first 
biometric image of a user to be authenticated, said 
data enrolment system comprising a Host Computer for 
splitting said reference biometric template into a 
first and a second .reference biometric template^^^portion 
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that are physically separable and for ciphering said 
first and second reference biometric template portion; 

- at least one portable data carrier associated 
with said user to be authenticated, said data carrier 

5 . comprising a memory for storing said first signed and 
ciphered reference biometric template portion; and 

at least one - data verification system 
comprising a memory for storing said second signed and 
ciphered reference biometric template portion. 

10 Another aspect of the present invention refers to 

a portable data carrier associated with a user that has 
to be authenticated through a user authentication 
architecture, said data carrier including a 
microprocessor comprising a memory for storing a first 

15 reference biometric template portion associated with 
said user to be authenticated, said first reference 
biometric template portion being signed and ciphered, 
said portable data carrier being adapted to received as 
input, from said user authentication architecture, a 

2 0 second reference biometric template portion and a 

template live associated with said user to be 
authenticated, said second reference biometric template 
portion and said template live being signed and 
ciphered, said microprocessor further comprising: 
25 - a processing logic for ciphering said first and 

second reference biometric template portion and for 
recomposing therefrom said reference biometric template 
associated with said user to be authenticated; 

- a comparing logic for comparing said reference 

3 0 biometric template recomposed with said template live 

and sending a result of said comparison to said user 
^w^^ authentication .architecture. . 
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Another aspect of the present invention refers to 
a data verification system comprising an electronic 
device and a portable data carrier associated with a 
user that has to be authenticated, said data carrier 
5 being adapted to store a first reference biometric 
template portion associated with a user to be 
authenticated, said first reference biometric template 
portion being signed and ciphered ; 

said electronic device comprising: 

10 - a memory adapted to store a second reference 

biometric template portion associated with a user to be 
authenticated, complementary with said first portion, 
said second reference biometric template portion being 
signed and ciphered; 

15 - an image acquiring and processing device for 

generating a template live; 

said electronic device being adapted to cipher and 
sign said template live, transmit said second reference 
biometric template portion and said template live to 

2 0 said portable data carrier and authenticate said user 
depending on the result of a comparison performed by 
said data carrier between said template live and a 
reference biometric template of said user to be 
authenticated, said reference biometric template being 

2 5 recomposed by using said first and second reference 

biometric template portion. 

A further aspect of the present invention deals 
with a computer program product that can be loaded in 
the memory of at least one electronic processor and 

3 0 comprising portions of software code to perform the 

process according to the invention when the product is 
executed _ on a processor: .in this, context such diction 
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must be deemed equivalent to the mention of a means 
readable by a computer comprising instructions to 
control a network of computers in order to perform a 
process according to the invention. The reference to 
5 ''at least one electronic processor" is obviously aimed 
to point out the . possibility of carrying out the 
solution according to the invention in a de- centralised 
context . 

Further preferred aspects of the present invention 
10 are disclosed ' in the dependent claims and in the 
present description . 

The features and the advantages of the present 
invention will result from the herein below description 
of an embodiment, provided as a non-limiting example, 
15 with reference to the enclosed drawings, in which: 

- figure 1 is a schematic representation of a user 
authentication architecture according to the invention; 

figure 2 shows a flow diagram related to 
implementing a first step of a user authentication 
2 0 method according to the invention; and 

figure 3 shows a flow diagram related to 
implementing a second step of the user authentication 
method according to" the invention. 

With reference to figure 1, the user 
25 authentication method according to the invention is 
applied to a user authentication architecture 1 
comprising a data enrolment system 2, a data 
verification system 3 and a portable data carrier 4, 
this latter one belonging to a user that has to be 
30' authenticated. The data carrier 4 can be a substrate 
whose sizes are substantially rectangular, such as for 
example an access card^^a credit card, .a debit, card, an 
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identification card, a smart card, a SIM card. The data 
carrier 4 is equipped with a microprocessor 5 including 
a processing logic 5a, a comparing logic 5b and a 
memory 6 . 

5 Always with reference to figure 1, in a preferred 

embodiment, the data enrolment system 2 comprises a 
Host Computer 7, for example a personal computer, a 
business computer, etc., having enough memory 7a to 
store biometric data of a user that has to be 

10 authenticated. The data enrolment system 2 can also 
include an image acquiring and processing device 8, 
connected to the Host Computer 7, and a data 
reading/writing device 60, also connected to the Host 
Computer 7 realising the interface with the data 

15 carrier 4, The data reading/writing device 60 can be, 
for example, a smart card reader, if the data carrier 4 
is a smart card, or a cellular phone, if the data 
carrier 4 is a SIM card. 

Specifically, the image acquiring and processing 

2 0 device 8 includes: a sensor 9 of the biometric type, 
for example a television camera, to detect a first 
biometric image of the user that has to be 
authenticated, for example a face- template; an image 
processor 10, connected between sensor 9 and Host 

25 Computer 7, to generate a reference biometric template 
from the user biometric image, detected through sensor 
9. 

Preferably, the data enrolment system 2 is a 
separated system from the data verification system 3 
30 and is placed in a secure environment. 

In a preferred embodiment, the data verification 
system 3 comprises an electronic d@sri.ce 11, for example 
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a personal computer, a palmtop i::omputer, a cellular 
telephone, an hand-held PC, a smart -phone, having 
enough memory 11a to store biometric data of a user 
that has to be authenticated. 

The data verification system 3 can ■ also comprise: 
a data base, of a known type and therefore not shown in 
figure 1, managed by a remote system connected to the 
electronic device 11; an image acquiring and processing 
device 12; a data reading/writing device 61 realising 
the interface with the data carrier 4 . The image 
acquiring and processing device 12 and the data 
reading/writing device 61 are both connected to the 
electronic device 11. Moreover, the data 
reading/writing device 61 can be, for example, a smart 
card reader, if the data carrier 4 is a smart card, or 
a cellular phone, if the data carrier 4 is a SIM card. 

Specifically, the image acquiring and processing 
device 12 comprises: a sensor 13, of the biometric 
type, for example a television camera, to detect a 
second biometric image (the face template) of the user 
that has to be authenticated. The image acquiring and 
processing device . 12 also includes an image processor 
14, connected between sensor 13 and electronic device 
11, to generate a template live from the > user biometric 
image detected through the sensor 13 . The electronic 
device 11 can also comprise a processing logic (not 
shown in figure 1) able to read and interpret the 
comparison operation result between reference biometric 
template and template live performed by the data 
carrier 4, as will be described more in detail below. 

It is better to state that, in the following 
description, for ciphering and deciphering iilometric 
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data, cryptographic algorithms of the asymmetrical 
type, for example the RSA algorithm, are preferably 
used. In particular, these algorithms are based on the 
use of two different keys in the data ciphering and 
deciphering steps and on the existence of a PKI (Public 
Key Infrastructure) , for example based on standard 
X.509 described in R. Housley, Internet X.509 Piiblic 
Key Infrastructure Certificate and CRL Profile, RFC 
2459, 1999. 

The user authentication method, according to the 
invention, will now be described with reference to the 
flow diagrams shown in figures 2-3. 

In a preferred embodiment, the method according to 
the invention comprises an enrolment step 20, performed 
by the data enrolment system 2 and shown in figure 2, 
and a verification step 40, performed by the data 
verification system 3 and the data carrier 4 and shown 
in figure 3 . 

With reference to figure 2, initially the 
enrolment step 2 0 provides an initialisation step 21 of 
the data enrolment system 2, of the data verification 
system 3 and the data carrier 4 . 

Specifically, the initialisation step 21 provides: 

- storing, in the memory 7a of Host Computer 7, a 
pair of public KEpub and private KEpr keys associated 
with the data enrolment system 2, the related digital 
certificate Ce containing the public key KEpub signed 
with the private key issued by a secure Certification 
Authority and, possibly, the digital certificate Cac of 
the same Certification Authority; 

- storing, in the memory 6 of data carrier 4, a 
^pair of public KUpub 5ind private^ KUpr keys associated 
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with the user to be authenticated, the related digital 
certificate Cu containing the public key KU^ub signed 
with the private key of the secure Certification 
Authority and, possibly, the digital certificate Cac of 
5 the -;same Certification Authority. Alternatively, the 
data carrier 4 initialisation can provide for the 
generation of the pair of public and private keys KUpub/ 
KUpr aboard the data carrier 4 itself (on-card) and the 
transmission of the certification request for the 

10 public key KUpub to the secure Certification Authority. 
The initialisation process is then finalised by 
installing the user digital certificate Cu on the data 
carrier 4 and distributing the related certificate to 
the data enrolment system 2 and the data verification 

15 system 3 . All these operations can be performed in the 
microprocessor 5; and 

- storing, in the memory 11a of electronic device 
11, a file containing a pair of public KVp^b and private 
KVpr keys associated with the data verification system 

20 3, the related digital certificate Cv containing the 
public key KVpub signed with the private key issued by 
the secure Certification Authority and, possibly, the 
digital certificate Cac of the same Certification 
Authority. 

25 The enrolment step 2 0 then proceeds with 

detecting, through the sensor 9, a first biometric 
image of the user to be authenticated (block 22) . 
Afterwards, the first biometric image is transferred to 
the image processor 10 that generates the reference 

3 0 biometric template (block 23) . 

The reference biometric template is then stored 
into the memoary 7a of the Host Computer 7 (block 24). 
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Afterwards, the Host Computer 7 decomposes the 
reference biometric template into a first and a second 
reference biometric template portion (block 25) , using 
a splitting algorithm that will be described more in 
5 detail herein below, and then destroys the original 
copy of the reference biometric template (block 26) . 

At this time, the Host Computer 7 signs the fir^t 
and the second reference biometric template portion 
with the private key KEpr of the data enrolment system 2 
10 (block 27) and then ciphers the two portions with the 
public key KUp^ of the user to be authenticated (block 
28) . 

Afterwards, the Host Computer 7 transfers the 
first reference biometric template portion onto the 
15 data carrier 4 (block 29) . Here, the first reference 
biometric template portion is stored into a protected 
area 6a (shown in figure 1) of the memory 6 (block 3 0) . 
For example, the memory 6a area' can be protected 
t hr ough PIN. 

2 0 Communication between data enrolment system 2 and 

data carrier 4 can occur for example though the 
communication protocol implemented in the 

reading/ writing device 60. The reading/writing device 
60 is also equipped with a logic (an application 
25 program) that checks the data transfer. 

The second reference biometric template portion is 
instead transferred and stored into the memory 11a of 
the electronic device 11 (block 31) • 

Alternatively, the second reference biometric 

3 0 template portion can be transferred and stored into the 

data base . 
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The transfer of the second reference biometric 
template portion from data enrolment system 2 to 
electronic device 11, or to data base, can occur by 
using methods of the OOB (^^Out Of Band") type. In 
5 particular, these methods assume that " data are not 
transferred in a network, but are transferred using 
alternative communication channels, such as, for 
example, a telephone channel or the traditional mail. 

Less preferably, the transfer of the second 
10 reference biometric template portion can occur through 
a modem or a communication network, for example a 

TCP/IP or GSM network. 

With reference now to figure 3, the verification 
step 4 0 starts when a user, by entering the data 
15 carrier 4 into the data reading/writing device 61, asks 
the user architecture 1 to be authenticated (block 
4 0a) . Under these conditions, the data verification 
system 3, through the sensor 13, detects a second 
biometric image of the user that has to be 

2 0 authenticated (block 41) . This second biometric image 

is then transferred to the image processor 14 that 
generates the template live (block 42) . Afterwards, the 
template live is sent to the electronic device 11 that 
signs it with the private key KVpr of the data 
25 verification system 3 and ciphers it with the public 
key of the user KUpub (block 43) . 

At that time, the electronic device 11, through 
the reading/writing device 61, transmits to the data 
carrier 4 both the template live and the second 

3 0 reference biometric template portion, this latter one 

stored locally or recovered by the data base, enclosing 
a univocal Nonce (namely an aleat£)xy value, used a 
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single time in a cryptographic scheme) to guarantee the 
authenticity of the current data verification session 
(block 44) . The uni vocal Nonce is also ciphered and 
signed. Such operation guarantees for example the 
5 protection from the so-called replay attacks (attacks 
where the attacking person is an authorised user that 
re-proposes to . the system, in a following 
authentication session, a previously positive 
authentication session as regards the interested user) . 
10 Communication between data verification system 3 

and data carrier 4 can occur for example through the 
communication protocol implemented in the 

reading/writing device 61. The reading/writing device 
61 is also equipped with a logic (an application 
15 program) that checks the data transfer. 

Afterwards, the data carrier 4, using its own 
private key KUpr, deciphers the second reference 
biometric template portion and checks its signature by 
using the public key KEp^b of the data enrolment system 
20 2 (block 45) . In case of check success, the data 
carrier 4, through a re -composition algorithm, stored 
into the memory 6 and shown below, re -composes the 
reference biometric template (block 46) using the now 
deciphered second reference biometric template portion 
25 and the first reference biometric template portion, 
stored into the protected memory area 6a. 

Afterwards, the data carrier 4, using its own 
private key KUpr, deciphers the template live 
transmitted by the data verification system 3 and 
checks its signature by using the p\iblic key KVpub of 
the data verification system 3 (block 47) . 
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If all previously-described check operations 
realised through the processing logic 5a of the 
microprocessor 5, have a positive result, the data 
carrier 4 performs a comparison operation between the 
reference biometric • template and the template live 
(block 48) . 

Preferably, the comparison operation is performed 
by the comparing logic 5b of the microprocessor 5 as an 
atomic operation using known comparison functions 
depending on the biometric identification technics 
used. For example, for the face template, as comparison 
functions, those provided in the Principal Component 
Analysis (Eigenfaces) or Local Features Analysis, or 
Neural Networks or 3D or wavelet Gabor, etc. technics 
can be used. 

Afterwards, the data carrier 4 transfers to the 
data verification system 3 the comparison operation 
result together with the univocal Nonce previously 
received by the data verification system itself (block 
49) . 

The comparison operation result and the univocal 
Nonce can for example be sent as a message signed with 
the user private key KUpr and ciphered with the public 
key KVpub of the data verification system 3 - 

At this time, the electronic device 11, using the 
private key KVpr of the data verification system 3, 
deciphers the message sent thereto by the data carrier 
4, checks its signature, and, depending on the 
comparison operation result, grants or not the user 
access to the required service (block 50) . 

In case a data base is used for storing the second 
..reference biometric template portion, it is. necessary 
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to make secure also the communication between 
electronic device 11 and remote data base managing 
system. This can be obtained by using, for example, the 
previously-described authentication, privacy and non- 
5 repudiation cryptographic mechanisms, in order to 
guarantee the authentication of affected parts, in 
addition to integrity and privacy of transferred data. 

Moreover, the remote data base managing system can 
use access control methods, of the Access Control List 

10 type (with user authentication through userlD and 
Password or through digital certificates) to guarantee 
a secure access to data contained in the data base. 

Preferably, the splitting algorithm used by the 
data enrolment system 2 to split the reference 

15 biometric template into the two portions of reference 
biometric template, is a secret splitting algorithm, 
that can be used in the cryptographic techniques of the 
"secret sharing scheme" type. In this case a secret is 
divided into N parts, securely transferred to N 

2 0 entities with the property that, starting from a single 
part of the secret, the original cannot be rebuilt. An 
algorithm of this type is for example described in H. 
Feistel in "Cryptographic Coding for Data-Banking 
Privacy", IBM Research, New York, 1970. 

25 More in detail, the splitting algorithm comprises 

an enrolment step in which the data enrolment system 2 
that created the template t (the reference biometric 
template) generates a random number ti (the first 
reference biometric template portion) of the same size 

30 (length) of the template t. Afterwards the data 
enrolment system 2 applies a XOR function to t and ti to 



generate a value ts (the second reference biometric 
template portion) , namely: 
t XOR ti = t2 

ti is then stored in a protected mode (that provides for 
signature and ciphering) on the data carrier 4 while ts 
is stored in a protected mode (that provides for 
signature and ciphering) on the data verification 
system 3 or in the central data base. 

The re-composition algorithm for the template t, 
used by the data carrier .4 to. re-compose the template t 
from ti and ts, is, mathematically, the reverse function 
of the previously- described splitting algorithm. In 
particular, the data carrier 4, after having obtained 
t2, performs the XOR between ti and ta rebuilding the 
original value of the template t, namely: 

ti XOR t2 = t. 

If all described operations are correctly 
performed, the technic is secure since by possessing a 
single part, tl or t2, it is not possible to go back to 

the template t. 

The advantages that can be obtained with the 
described user authentication method are as follows. 

Firstly, the user authentication method is secure 
since an hacker that tries to violate either the data 
carrier 4 or the data verification system 3 does not 
obtain enough elements to go back to the reference 
biometric template, since this latter one is partly 
stored in the data carrier 4 and partly in the data 
verification system 3. In this way, both user privacy 
compliance, and the chance of using the same biometric 
technic also in case of violation/corruption of only 
one part of the reference biometric template, are 
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guaranteed. In fact, the reference biometric template 
is a piece of information depending on the used 
biometric technic: by applying the same biometric 
technic to the image of the same person, a reference 
biometric template is obtained .t.hat is very similar to 
the original one. Therefore, if the whole reference 
biometric template falls in the hand of an hacker, this 
latter one could use it for disguising as the user 
enabled to the service, impairing the used biometric 
technic- Moreover, it is plausible that, through a 
reverse -engineering process, the hacker can go back to 
the mode used by the biometric technic to produce the 
reference biometric template. In this way, the relevant 
biometric technic is no more secure. 

Moreover, the user authentication method according 
to the invention is also advantageous in case the 
authentication is mandatory for the access to an on- 
line service, in which the operator providing the 
service controls the data verification system 3 . In 
fact, the operator offering the service can go on 
keeping the control over the verification of the users 
because-, according "to the invention, both .data carrier 
4 and data verification system 3 concur in performing 
the verification step in a secure way that cannot be 
repudiated (the non- repudiation of a session implies 
the impossibility for a user to negate having 
participated into the session itself) . 

Moreover, the global security provided by the user 
authentication method according to the invention is 
further increased by the fact that the creation logic 
of the reference biometric template 11 does not reside 
on the data carrier 4 but on the data^j^jirolment system 
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2 that, preferably, is a separate system from the data 
verification system 3 and placed in a secure 
environment- On the data carrier 4 there are only the 
processing logic 5a that re-composes the reference 
biometric template and also performs the suitable 
cryptographic operations and the comparing logic 5b 
computing the correlation between reference biometric 
template and template live. 

It is finally clear that to the herein described 
and shown user authentication method and its related 
architecture numerous modifications and variations can 
be made, all falling within the scope of the inventive 
concept, as defined in the enclosed claims. 

For example, biometric technics can be used that 
are different from face recognition, such as 
fingerprints, hand prints, voice templates, retinal 
images, calligraphic samples and the like. 

Moreover, the user authentication method according 
to the invention can be applied to different scenarios, 

such as for example: 

Stand Alone scenario, in which the user 
authentication method according to the invention is 
used to protect the access to the data verification 
system 3 (ex. login to personal computer, palmtop, 
cellular phone-SIM) by a user provided with the data 
carrier 4; 

client-server scenario, in which the client 
scenario comprises the data carrier 4, preferably 
realises as a SIM-card, and a client portion of the 
data verification system 3, while the server scenario 
comprises a server portion of the data verification 
system 3. In particular, the server portion of the-, ^ata 
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verification system 3 can coincide or not with a 
central server (for example the server offering the 
required service) . In this case, the client portion of 
the data verification system 3 can perform a more or 
5 less active role in the authentication process- For 
• example, the client portion of the data verification 
system 3 can perform the function of detecting the 
biometric image of the user that has to be 
authenticated, then transferring it to the central 

10 server to which instead the template live generation is 
entrusted; the central server will then take care of 
transferring the template live to the client portion of 
the data verification system 3 . 

Alternatively, the client portion of the data 

15 verification system 3 can also generate the template 
live . 

In both scenarios taken into account, the 
comparison operation between reference biometric 
template and template live is performed on the data 

2 0 carrier 4, then the recomposed reference biometric 
template never goes out of the data carrier 4 . The 
result .of this operation is then transferred in a 
secure way (for example ciphered and signed) to the 
central server that decides whether granting or not the 

25 authorisation. 
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CLAIMS 

1. User authentication method based on the use 
of identification biometric ■ technics comprising an 
enrolment step (20) and a verification step (40) , said 
enrolment step (20) including the steps of: 

generating (22, 23) a reference^ biometric 
template from a first biometric image of a user to be 

authent i cat ed ; 

- splitting (25) said reference biometric template 
into a first and ' a second reference biometric template 
portion; 

- ciphering (27, 28) said first and second 
reference biometric template portion; and 

- storing (29, 30, 31) each one of said reference 
biometric template portions into a different memory. 

2. Method according to Claim 1, characterised in 
that said step of storing each one of said reference 
biometric template portions into a different memory 

comprises the step of: 

- transmitting (29) said first reference biometric 
template portion from a first system (2) to a device 
(4) , said first system (2) operating in said enrolment 
step (2 0) ; 

storing (3 0) said first reference biometric 
template portion into a memory (6) of said device (4) , 
said device (4) operating in said verification step 
(40) ; 

transmitting (31) said second reference 
biometric template portion from said first system (2) 
to a second system (3) , said second system (3) 
operating in said, verification step (4 0) ; and 
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storing (31) said second reference biometric 
template portion into a memory (11a) of said second 
system (3) . 

3. Method according to any one of Claims 1 or 2 , 
5 characterised in that said verification step (4 0) 

comprises the steps of: 

generating (41, 42) a template live from a 
second biometric image of said user to be 
authenticated; 
10 - ciphering (43) said template live; and 

- transmitting (44) said template live and said 
second reference biometric template portion to said 
device (4) . 

4. Method according to Claim 3, characterised in 
15 that said verification step (4 0) comprises the steps 

of : 

- deciphering (45, 47) said template live and said 
second reference biometric template portion; 

re-composing (46) said reference biometric 

2 0 template from said first and second reference biometric 

template portion; and 

comparing (4 8) said re -composed reference 
biometric template with said template live. 

5. Method according to Claim 4, characterised in 
25 that said verification step (40) comprises the steps 

of : 

- sending (49) a result of said comparison to said 
second system (3) ; and 

- authenticating (50) or not authenticating said 

3 0 user depending on said result. 

6. Method according to any one of Claims 2-5, 
characterised in that sald^ step of splitting said„ 
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reference biometric template into a first and a second 

reference biometric template portion comprises the step 
of : 

- destroying said biometric template performed by 
5 said first system (2) . 

7. Method according to any one of Claims 2-6, 
characterised in that said step of ciphering (27, 28) 
said first and second reference biometric template 
portion comprises the steps of : 

10 - storing (21) a first and a second key (KEpub/ 

KEpr) and a related digital certificate (Ce) into a 
memory (7a) of said first system (2) , said first and 
second keys (KEpub/ KEpr) being respectively a public key 
(KEpub) and a private key (KEpr) associated with said 

15 first system (2) ; 

- storing (21) a first and a second key (KUpub/ 
KUpr) and a related digital certificate (Cu) into said 
memory (6) of said device (4) , said first and second 
keys (KUpub/ KUpr) being respectively a public key (KUpub) 

2 0 and a private key (KUpr) associated with said user to be 

authenticated; 

signing (27) said first and second reference 
biometric template portion with said private key (KEpr) 
of said first system (2) ; and 
25 - ciphering (28) said first and second reference 

biometric template portion with said public key (KUpub) 
of said user to be authenticated. 

8. Method according to any one of Claims 3-7, 
characterised in that said step of transmitting said 

3 0 template live and said second reference biometric 

template portion to said device (4) comprises the steps 

of:- - 
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- generating an aleatory value associated with the 
current data verification step (4 0) , said aleatory 
value guaranteeing the" authenticity of said current 
data verification step (4 0) ; 

- signing and ciphering said aleatory value; and 

- transmitting said aleatory value to said device 

(4) . 

9. Method according to Claims 7 or 8, 
characterised in that said step of ciphering said 
comparison biometric template comprises the steps of: 

- storing a first and a second key (KVpub/ KVpr) and 
a related digital certificate (Cv) into said memory 
(11a) of said second system (3), said first and second 
keys (KVpub/ KVpr) being respectively a public key (KVpub) 
and a private key (KVpr) associated with said second 
system (3) ; 

signing (43) said template live with said 
private key (KVpr) of said second system (3) ; and 

- ciphering (43) said template live with said 
public key (KUp^b) of said user to be authenticated. 

10. Method according to any one of Claims 8 or 9, 
characterised in that said step of deciphering said 
template live and said second reference biometric 
template portion comprises the steps of : 

- deciphering the signature and the validity of 

said aleatory value; 

- deciphering (45) said second reference biometric 
template portion with said private key (KUpr) of said 
user to be authenticated; 

- verification its signature (45) 

- deciphering (47) said template live with said 
private key (KUpr) of said user to be authenticated; and. 
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- verification its signature (47) . 

11. Method according to any one of Claims 5-10, 
characterised in that said step of sending a result of 
said comparison to said second device (11) comprises 

5 the steps of : 

- generating a message containing said result; 

- ciphering said message - 

12 . Method according to any one of the previous 
claims, characterised in that said identification 

10 biometric technics comprise at least one biometric 
identification technic of the type selected among: face 
recognition, fingerprints, hand prints, voice 
templates, retinal images, calligraphic samples. 

13. Method according to any one of Claims 2-12,- 
15 characterised in that said first and second system (2) , 

(3) are respectively a data enrolment system and a data 
verification system and said device (4) is a data 
carrier. 

14. User authentication architecture bases on the 

2 0 use of biometric identification technics comprising: 

at least one data enrolment system (2) for 
generating a reference biometric template from a first 
biometric image of a user to be authenticated, said 
data enrolment system (2) comprising a Host Computer 
25 (7) to split said reference biometric template into a 
first and a second reference biometric template portion 
and for ciphering said first and second reference 
biometric template portion; 

at least one portable data carrier (4) 

3 0 associated with said user to be authenticated, said 

data carrier (4) comprising a memory (6a) for storing 
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said first signed and ciphered reference biometric 

template portion; and 

at least one data verification system (3) 
comprising a memory (11a) for storing said second 
5 signed and ciphered reference biometric template 
portion. 

15. Architecture according to Claim 14, 
characterised in that said data carrier (4) comprises a 
microprocessor (5) including a processing logic (5a) 
10 for deciphering said first and second reference 
biometric template portion, verification the signature 
and re-composing said reference biometric template from 
said first and second deciphered reference biometric 

template portion. 

15 16. Architecture according to Claim 15, 

characterised in that said microprocessor (5) comprises 
a comparing logic (5b) to compare said re-composed 
reference biometric template with a template live 
generated by a second biometric image of the user to be 

2 0 authenticated, said second biometric image of the user 
to be authenticated being generated by the data 
verification system (3) . 

17. Portable data carrier (4) associated with a 
user that has to be authenticated through a user 

2 5 authentication architecture (1) , said data carrier (4) 

including a microprocessor (5) comprising a memory (6) 
for storing a first reference biometric template 
portion associated with said user to be authenticated, 
said first reference biometric template portion being 

3 0 signed and ciphered, said portable data carrier being 

adapted to receive as input, from said user 
authentication _a.xchitecture , a second ^ reference 
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biometric template portion and » a template live 
associated with said user to be authenticated, said 
second reference biometric template portion and said 
template live being signed and ciphered, said 
microprocessor (5) further comprising: 

a processing logic (5a) for deciphering said 
first and second reference biometric template portions 
and for re-composing therefrom said reference biometric 
template associated with said user to be authenticated; 

a comparing logic (5b) for comparing said 
reference biometric template re-composed with said 
template live and sending a result of said comparison 
to said user authentication architecture (1) . 

18. Data carrier according to Claim 17, 
characterised in that it comprises a substrate whose 
sizes are substantially rectangular. 

19. Data carrier according to any one of Claims 17 
or 18, characterised in that said data carrier (4) is 
an access card or a credit card or a debit card or an 
identification card or a smart card or a SIM card. 

20. Data verification system (3) comprising an 
electronic device (11) and a portable data carrier (4) 
associated with a user that has to be authenticated, 
said data carrier being adapted to store a first 
reference biometric template portion associated with a 
user to be authenticated, said first reference 
biometric template portion being signed and ciphered; 

said electronic device comprising: 

a memory (11a) adapted to store a second 
reference biometric template portion associated with a 
user to be authenticated, complementary to said first 
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portion, said second reference biometric template 
portion being signed and ciphered; 

- an image acquiring and processing device (12) 
for generating a template live; 

said electronic device (11) being adapted to cipher and 
sign said template live, transmitting said second 
reference biometric template portion and said template 
live to said portable data carrier (4) and 
authenticating said user depending on the result of a 
comparison performed by said data carrier (4) between 
said template live and a reference biometric template 
of said user to be authenticated, said reference 
biometric template being rebuilt by using said first 
and second reference biometric template portion. 

21, Program for electronic processor that can be 
loaded into the memory of at least one electronic 
processor and including program codes for performing 
the steps of the method according to any one of Claims 
1-13 when said program is executed by said electronic 
processor. 




ABSTRACT 



The present invention refers to a user 
authentication method based on the use of 
5 identification biometric technics comprising the steps 
of : 

- generating a reference biometric template from a 
first biometric image of a user to be authenticated; 

- splitting the reference biometric template into 
10 a first and a second reference biometric template 

portion that can be physically separated; 

- signing and ciphering the first and the second 
reference biometric template portion; 

- storing the signed and ciphered first and the 
15 second reference biometric template portion into 

different memories . 
(Fig.l) 
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